Security operations center

A Security Operations Center (SOC) is a centralized unit that provides computer security services: it works to prevent security incidents and to handle them when they occur. The purpose of this infrastructure is risk prevention, which covers all computer security activities, by centralizing and analysing all the human resources as well as the hardware and software used to manage the security system. A structure of this type is staffed 24 hours a day, 365 days a year by personnel who ensure that the platforms operate correctly, analyse the information they produce and summarize it. The operational management processes that govern the SOC continuously analyse the residual risk and also provide protection against intrusion through periodic security assessments. Because managing network security requires a great deal of time and skilled staff, businesses frequently outsource it to companies that specialize in information security services. Entrusting the management of corporate network security to such a partner brings a significant cost reduction and allows the company to concentrate its own resources on its core business. The security partner, however, must deliver the service with highly qualified security personnel. The service consists of the continuous monitoring of firewalls, IDS and anti-virus software, the identification of critical vulnerabilities, and so on. These are very specialized operations, so the staff must constantly keep their knowledge of technologies up to date, learn new methods and deepen existing ones.

Possible services offered by SOC

  • Proactive analysis and management of the systems and technologies of computer security
  • Security Device Management
  • Reporting
  • Security Alert
  • DDoS Mitigation
  • Security Assessment
  • Technical assistance

Proactive analysis and management of the systems and technologies of computer security

This service provides proactive analysis of the computer security systems and technologies (IDS, IPS, firewalls, etc.) 24 hours a day. The anti-intrusion systems allow centralized management of information security practices, so that potential attacks from the Internet and from the intranet can be identified. The staff responsible are generally highly specialized and qualified; security analysts, for example, only need to know the monitoring tools rather than the full range of the overall security infrastructure. The scalability of the SOC's resources is another crucial factor: it is, for example, relatively easy to add a new IDS (Intrusion Detection System) to those already in place. The SOC often also handles part of the policy management, for example the reconfiguration of security equipment. The original configuration of the devices and the security policy must be continually updated to track the development of the customer's network.

Security Device Management

Security Device Management (SDM) is built around two main processes:

- Fault Management

- Configuration Management

Fault Management

The main goal of fault management is to ensure the optimal and continuous operation of the security infrastructure. The activities include:

- Permanent monitoring of the customer's security equipment by the SOC

- Detection of faults and raising of alarms (opening of a trouble ticket)

- Determining the appropriate action to remedy the situation

- Implementation of appropriate remedial measures

- Restoration of configurations if they are lost after a fault
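The fault-management loop above (monitor, detect and ticket, remediate, restore configuration) can be shown as a small simulation. The following is an added example written for this article, not code from any SOC product; the device model, the heartbeat timeout, the ticket structure and the configuration-hash comparison are all assumptions made for the illustration.

```python
"""Fault-management monitor for SOC-managed security devices (added example).

Assumed, hypothetical model: every managed device sends a heartbeat carrying a
timestamp and its running configuration. A device whose heartbeat is older than
HEARTBEAT_TIMEOUT seconds is treated as faulty and a trouble ticket is opened
(once per fault, not once per poll). A device that comes back with a running
configuration different from the SOC's stored baseline has that baseline
restored, which is the "restoration of configurations after a fault" step.
"""
from dataclasses import dataclass
import hashlib

HEARTBEAT_TIMEOUT = 120  # seconds; assumed threshold for this example


@dataclass
class Device:
    name: str
    baseline_config: str   # configuration text kept by the SOC
    running_config: str    # what the device is currently running
    last_heartbeat: float  # epoch seconds of the last heartbeat seen


@dataclass
class Ticket:
    device: str
    reason: str
    status: str = "open"


def config_hash(config: str) -> str:
    return hashlib.sha256(config.encode()).hexdigest()


class FaultManager:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        self.tickets: list[Ticket] = []
        self.actions: list[str] = []

    def _open_ticket(self, name: str, reason: str) -> Ticket:
        # Deduplicate: do not open a second ticket for a fault that is still open
        for t in self.tickets:
            if t.device == name and t.reason == reason and t.status == "open":
                return t
        t = Ticket(name, reason)
        self.tickets.append(t)
        return t

    def poll(self, now: float) -> None:
        for d in self.devices.values():
            if now - d.last_heartbeat > HEARTBEAT_TIMEOUT:
                self._open_ticket(d.name, "heartbeat lost")
                continue
            # Device is alive again: close any heartbeat ticket, then check drift
            for t in self.tickets:
                if t.device == d.name and t.reason == "heartbeat lost" and t.status == "open":
                    t.status = "closed"
            if config_hash(d.running_config) != config_hash(d.baseline_config):
                t = self._open_ticket(d.name, "configuration mismatch")
                d.running_config = d.baseline_config  # restore from the SOC baseline
                self.actions.append(f"restored configuration on {d.name}")
                t.status = "closed"


def open_tickets(fm: FaultManager):
    return [(t.device, t.reason) for t in fm.tickets if t.status == "open"]


# Constructed baseline policy for the two hypothetical firewalls
BASELINE = "permit tcp 10.0.0.0/8 any eq 443\ndeny ip any any log"


def demo() -> FaultManager:
    fw1 = Device("fw-1", BASELINE, BASELINE, last_heartbeat=1000.0)
    fw2 = Device("fw-2", BASELINE, BASELINE, last_heartbeat=700.0)  # silent for 300 s
    fm = FaultManager([fw1, fw2])
    fm.poll(now=1000.0)          # fw-2 has lost its heartbeat -> ticket opened
    fm.poll(now=1030.0)          # same fault still open -> no duplicate ticket
    fw2.last_heartbeat = 1100.0  # fw-2 returns, but with an altered configuration
    fw2.running_config = "permit ip any any"
    fm.poll(now=1100.0)          # heartbeat ticket closed, baseline restored
    return fm


if __name__ == "__main__":
    fm = demo()
    for t in fm.tickets:
        print(t)
    print(fm.actions)
```

The deduplication in `_open_ticket` matters in practice: a monitor that polls every few seconds would otherwise flood the ticketing system with one ticket per poll for a single outage.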

Configuration Management

The main goal of configuration management is to ensure that the firewall structures are continuously adapted to the customer's needs. It covers all devices managed by the SOC. Configuration management includes configuring the devices and adapting the policies, i.e. the authorizations for traffic flowing from an external to an internal source (or vice versa), on the basis of:

- Address of the source

- Address of the destination

- Network Protocol

- Service Protocol

- Logging of traffic.
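A firewall policy built on exactly these five criteria can be modelled as an ordered rule list evaluated top-down. The following is an added example written for this article, not the configuration syntax of any real firewall product; the rule and packet fields, the first-match semantics and the default "deny and log" policy are assumptions chosen for the illustration.

```python
"""First-match firewall policy evaluator (added example, not vendor code).

Each rule matches on the criteria listed above: source address, destination
address, network protocol (tcp/udp/icmp), service protocol (the destination
port, i.e. the application service) and whether matching traffic is logged.
Rules are evaluated in order; the first match decides. Traffic matching no
rule is denied and logged (assumed default policy).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # CIDR prefix or "any"
    dst: str             # CIDR prefix or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port (service); None = any port
    log: bool = False    # whether a hit on this rule is written to the log


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None  # None for protocols without ports (icmp)


def _addr_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.port is None or rule.port == pkt.dport))


def evaluate(policy, pkt: Packet, log_lines: list) -> str:
    """Return the verdict for pkt; append a log entry if the deciding rule logs."""
    for i, rule in enumerate(policy):
        if rule_matches(rule, pkt):
            if rule.log:
                log_lines.append(
                    f"rule {i} {rule.action} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            return rule.action
    # No rule matched: default deny, always logged so the SOC can see the drop
    log_lines.append(f"default deny {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
    return "deny"


# Constructed customer policy: anyone may reach the public web server on 443,
# the internal LAN may reach it on 22 (logged), ICMP is explicitly denied and
# logged, and everything else falls through to the default deny.
POLICY = [
    Rule("permit", "any", "203.0.113.10/32", "tcp", 443),
    Rule("permit", "10.0.0.0/8", "203.0.113.10/32", "tcp", 22, log=True),
    Rule("deny", "any", "any", "icmp", None, log=True),
]


def run_demo():
    log: list = []
    verdicts = [
        evaluate(POLICY, Packet("198.51.100.7", "203.0.113.10", "tcp", 443), log),  # web, permitted
        evaluate(POLICY, Packet("198.51.100.7", "203.0.113.10", "tcp", 22), log),   # SSH from outside
        evaluate(POLICY, Packet("10.1.2.3", "203.0.113.10", "tcp", 22), log),       # SSH from LAN, logged
        evaluate(POLICY, Packet("198.51.100.7", "203.0.113.10", "icmp"), log),      # ping, denied + logged
    ]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    print("\n".join(log))
```

Because evaluation stops at the first match, the order of the rules is part of the configuration: moving the LAN-to-22 rule below a broad deny would silently change its effect, which is why configuration changes are tracked and reviewed rather than applied ad hoc.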

Reporting

The logs of the consoles or instruments used are analysed carefully and reworked so that the customer can easily understand them. This reporting is particularly important because, in addition to the details of any intrusion by unauthorized parties or unforeseen problems observed in the reporting period, it enables the customer to take preventive measures.
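The monitoring described under "Proactive analysis" and the reworking of raw logs described here can be illustrated together with a small report generator. This is an added example written for this article, not the reporting tool of any SOC; the log line format, the sample events and the report layout are constructed for the illustration, and a real SOC would parse each product's own syslog or alert format.

```python
"""Turning raw device logs into a customer report (added example).

The input lines use a constructed, hypothetical format. The report summarises
the period by severity, by top source address and by signature, and names the
sources behind high-severity events so the customer can act on them, which is
the kind of reworking the Reporting service provides.
"""
import re
from collections import Counter

# Constructed sample: IDS alerts and firewall denies from one monitoring period,
# plus one malformed line to show that the parser tolerates bad input.
RAW_LOG = """\
2024-05-01T02:13:44Z ids-1 ALERT sev=high sig="SQL injection attempt" src=198.51.100.7 dst=203.0.113.10 dport=443
2024-05-01T02:13:45Z ids-1 ALERT sev=high sig="SQL injection attempt" src=198.51.100.7 dst=203.0.113.10 dport=443
2024-05-01T02:20:01Z fw-1 DENY sev=low sig="policy default deny" src=198.51.100.7 dst=203.0.113.10 dport=22
2024-05-01T03:05:19Z ids-1 ALERT sev=medium sig="port scan" src=192.0.2.44 dst=203.0.113.10 dport=0
2024-05-01T09:41:02Z fw-1 DENY sev=low sig="policy default deny" src=192.0.2.44 dst=203.0.113.10 dport=3389
2024-05-01T09:41:02Z fw-1 DENY sev=low sig="policy default deny" src=192.0.2.44 dst=203.0.113.10 dport=3389
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) (?P<event>ALERT|DENY) sev=(?P<sev>\w+) '
    r'sig="(?P<sig>[^"]*)" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$'
)


def parse(raw: str):
    """Parse the constructed format; lines that do not match are dropped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:  # an unparseable line must not abort the whole report
            events.append(m.groupdict())
    return events


def summarize(events):
    return {
        "total": len(events),
        "by_severity": dict(Counter(e["sev"] for e in events)),
        "top_sources": Counter(e["src"] for e in events).most_common(3),
        "by_signature": dict(Counter(e["sig"] for e in events)),
        "high_severity_sources": sorted({e["src"] for e in events if e["sev"] == "high"}),
    }


def render(summary) -> str:
    lines = [
        f"Events in period: {summary['total']}",
        "By severity: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["by_severity"].items())),
        "Top sources: " + ", ".join(f"{s} ({n})" for s, n in summary["top_sources"]),
        "By signature: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["by_signature"].items())),
    ]
    if summary["high_severity_sources"]:
        lines.append("Recommended preventive action: review blocking of "
                     + ", ".join(summary["high_severity_sources"]))
    return "\n".join(lines)


def build_report(raw: str = RAW_LOG) -> str:
    return render(summarize(parse(raw)))


if __name__ == "__main__":
    print(build_report())
```

The "recommended preventive action" line is the point of the exercise: the raw alert stream tells the customer what happened, while the reworked report tells them what to do next.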

Security Alert

The Security Alert service is designed to inform the customer as soon as possible of the discovery of new vulnerabilities, so that the necessary countermeasures to mitigate or neutralize their impact can be put in place quickly.

DDoS Mitigation

DDoS Mitigation has the goal of reducing the consequences of a distributed denial of service attack. The task of this service is to ensure that the measures necessary to close the security hole are correctly introduced once a customer has received an alarm. The applicable countermeasures are evaluated, and a "cleaning" process and, where possible, a redirection of traffic are initiated. A report is produced at the end of the attack.

Security Assessment

Some items that are normally part of security management activities are vulnerability assessment and penetration testing.

The vulnerability assessment is designed to identify possible shortcomings in the systems and in the services installed on them. This activity is carried out with specific technologies, which are configured individually for each assessment, improved and customized.

The penetration test is performed to identify known or unknown weaknesses in the systems, the services and the web applications running on them. The penetration testing process is able to assess very effectively the level of a particular security threat and to evaluate its impact appropriately. This activity uses a large number of technologies that can be configured, improved and customized for each evaluation, but is also performed manually for each service, each installed system and each application.

Technical assistance

In general, the SOC can provide customers with specialized technical support for all functional problems and system failures, as well as for new features and configurations of security hardware and software. Technical assistance to solve the above problems can be delivered remotely or on site, depending on the problem and the contractual arrangements between the parties.
